Bug#304712: JavaMail allows directory traversal in attachments (CAN-2005-1105)
Joey Hess
Joey Hess <joeyh@debian.org>, 304712@bugs.debian.org
Thu Apr 14 21:55:03 2005
Package: libgnumail-java
Version: 1.0
Severity: normal
Tags: security
CAN-2005-1105 describes a vulnerability in the JavaMail API:
MimeBodyPart.getFileName () method in the JavaMail API doesn't properly
validate filename attribute in Content-Disposition header, which makes it
vulnerable to directory traversal attacks. Successful exploitation of
this vulnerability allows writing arbitrary content in any directory
accessible to the servlet running JavaMail.
http://marc.theaimsgroup.com/?l=bugtraq&m=111335615600839&w=2
Multiple implementations of this API are vulnerable, including
libgnumail-java. Unless each program using libgnumail-java does its own
checks of the filename for directory traversal attacks, this lack of
sanity checking can allow overwriting of a user's files.
I think this security hole is fairly theoretical at the moment since it
seems only ant in Debian uses libgnumail-java, and it seems to only use
it to send mail.
-- 
see shy jo
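The report notes that each program using the library has to check the attachment filename itself. The following is an added example of such a caller-side check, not part of the bug report and not code from libgnumail-java or JavaMail. The class and method names (`SafeAttachmentName`, `resolveAttachment`) and the sample names are constructed for illustration; the `untrustedName` argument stands for the string returned by `MimeBodyPart.getFileName()`.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

public class SafeAttachmentName {

    /**
     * Maps an untrusted attachment name (for example the String returned by
     * MimeBodyPart.getFileName()) to a path that stays inside baseDir.
     * Hypothetical helper written for this example.
     */
    static Path resolveAttachment(Path baseDir, String untrustedName) throws IOException {
        if (untrustedName == null || untrustedName.isEmpty()) {
            throw new IOException("attachment has no file name");
        }
        // Keep only the last path component. Both '/' and '\' count as
        // separators, so a Windows-style name is not trusted on a Unix host.
        int cut = Math.max(untrustedName.lastIndexOf('/'), untrustedName.lastIndexOf('\\'));
        String leaf = untrustedName.substring(cut + 1);
        if (leaf.isEmpty() || leaf.equals(".") || leaf.equals("..") || leaf.indexOf('\0') >= 0) {
            throw new IOException("rejected attachment name");
        }
        Path base = baseDir.toAbsolutePath().normalize();
        Path target = base.resolve(leaf).normalize();
        // Defence in depth: the normalized result must be strictly below base.
        if (!target.startsWith(base) || target.equals(base)) {
            throw new IOException("attachment path escapes " + base);
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        Path base = Files.createTempDirectory("attachments");
        // Constructed sample filename attributes, benign and hostile.
        String[] names = { "report.pdf", "../../outside.txt", "..\\..\\outside.txt",
                           "/tmp/outside.txt", "..", "" };
        for (String name : names) {
            try {
                System.out.println("[" + name + "] -> " + resolveAttachment(base, name));
            } catch (IOException e) {
                System.out.println("[" + name + "] -> " + e.getMessage());
            }
        }
    }
}
```

Opening the returned path with `StandardOpenOption.CREATE_NEW` additionally keeps an attachment from overwriting a file that already exists in the target directory.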